802.1x Feature Overview and Configuration Guide

Technical Guide
Introduction
802.1x is an IEEE standard providing a mechanism for authenticating devices attached to a
LAN port or wireless device. Devices wishing to access services behind a port must
authenticate themselves before any Ethernet packets are allowed to pass through. The
protocol is referred to as 802.1x because it was initially defined in the IEEE standard 802.1x,
published in 2001 and revised in 2004 and again as the current 802.1x 2010 standard.
Networks have two important requirements:

Security: Authentication and Authorization

Flexibility: The ability for users to roam
Networks need a device authentication method that is highly secure, but not tied to a port’s
physical location. Network resources presented to a given user need to be determined from
their authentication credentials.
802.1x user authentication satisfies these requirements. It is relatively uncomplicated and has
little impact on network performance. It is a medium-independent protocol, being equally
effective on wireless connections (802.11i) and wired connections. 802.1x user
authentication is rapidly becoming an expected component on networks.
C613-22005-00 REV A
Products and software version that apply to this guide
This Guide applies to all AlliedWare Plus products, running version 5.4.4 or later.
Feature support may change in later software versions. For the latest information, see the
following documents:

The product’s Datasheet

The AlliedWare Plus Datasheet

The product’s Command Reference
These documents are available from the above links on our website at alliedtelesis.com.
Content
Introduction
  Products and software version that apply to this guide
802.1x System Components
  802.1x component protocols
  Example message sequence
Basic Steps in 802.1x Configuration
  Multi-supplicant modes
  Single supplicant
  Multi-host
802.1x VLAN Assignment
  Dynamic VLAN assignment
802.1x Configuration Example
  Dynamic VLAN assignment with multiple supplicants
  Using a guest VLAN
Verify the operation of 802.1x
  Names of commands used
802.1x System Components
There are three main components to a system using 802.1x port authentication control:

Authenticator: the device that wishes to enforce authentication before allowing access to
services that are accessible behind it. An example of this is a switch that has 802.1x port
authentication control enabled.

Supplicant: the client that wishes to access services offered by the authenticator’s system.
An example of this is a Windows XP Professional PC with an 802.1x client.

Authentication server: the device that uses the authentication credentials supplied by the
supplicant to determine whether the authenticator should grant access to its services. The
AlliedWare Plus implementation of 802.1x supports the use of a RADIUS authentication
server, with the Extensible Authentication Protocol (EAP) carried in conjunction with RADIUS.
Figure 1: 802.1x system components (supplicants; switch acting as authenticator; RADIUS server acting as authentication server)
802.1x component protocols
There are two protocols involved in the authentication conversation:
1. EAPoL, exchanged between the supplicant and authenticator. EAPoL (Extensible
Authentication Protocol over LAN) is the protocol defined in IEEE 802.1x.
2. RADIUS, exchanged between the authenticator and authentication server. RADIUS has
received specific extensions to interoperate with EAPoL.
The diagram below illustrates where EAPoL and RADIUS protocols are used in the
authentication conversation:
Figure 2: 802.1x component protocols (EAPoL between the supplicants and the switch acting as authenticator; RADIUS between the switch and the RADIUS server acting as authentication server)
Table 1: Basic steps in an 802.1x conversation

STEP  ACTION
1     The supplicant informs the authenticator that it wants to initiate the conversation.
2     The authenticator requests the supplicant's credentials.
3     The supplicant sends username/password or X.509 certificate.
4     The authenticator wraps the supplicant's reply into a RADIUS packet and sends it to the RADIUS server.
5     The RADIUS server chooses an authentication method, and sends an appropriate request to the supplicant as a ‘challenge’.
6     The RADIUS server and supplicant exchange some messages, ferried by the authenticator.
7     The RADIUS server eventually decides if the supplicant is allowed access and sends an Access-Accept or Access-Reject message to the authenticator.
8     The authenticator sends an EAPoL-Success or EAPoL-Fail to the supplicant.
9     The supplicant has a session using the network (if accepted).
10    When the session is over, the supplicant sends a log-off message.
Example message sequence
The diagram below illustrates an exchange using the EAP-MD5 authentication method,
which is the simplest authentication method supported by 802.1x.
The EAPoL log-off message, of course, is not sent immediately after the other messages in
the diagram, but is sent later on, at the end of the supplicant’s data session, when it wishes to
disconnect from the network.
Figure 3: EAPoL message sequence (EAPoL conversation between supplicant and switch; RADIUS conversation between switch and RADIUS server). The messages in the diagram, numbered as in Table 1:
1. Supplicant to authenticator: EAPOL-Start
2. Authenticator to supplicant: EAP-Request/Identity
3. Supplicant to authenticator: EAP-Response/Identity (MyID)
4. Authenticator to RADIUS server: Radius-Access-Request
5. RADIUS server to authenticator: Radius-Access-Challenge, relayed to the supplicant as EAP-Request-Challenge (MD5)
6. Supplicant to authenticator: EAP-Response-Challenge (MD5), relayed as Radius-Access-Request; further EAP-Request / Radius-Access-Challenge rounds may follow
7. RADIUS server to authenticator: Radius-Access-Accept (authentication success) or Radius-Access-Reject (authentication fail)
8. Authenticator to supplicant: EAP-Success (port authorized) or EAP-Fail (port unauthorized)
9. Data session
10. Supplicant to authenticator: EAPOL-Logoff (authentication terminated, port unauthorized)
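The conversation in Table 1 and Figure 3, worked through as an added example (not code from the guide or from AlliedWare Plus): a small Python model with the three roles as separate classes. The supplicant only ever talks EAP to the authenticator; the authenticator wraps each EAP response into a RADIUS Access-Request and relays whatever EAP message comes back; the RADIUS server remembers the challenge it issued through a State token. The user database, password and 16-byte challenge are constructed. The response value is the EAP-MD5 construction MD5(identifier || password || challenge); EAP-MD5 is used here because it is the method the figure shows, and it provides no mutual authentication, which is one reason production deployments favour stronger EAP methods.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed credential store held by the RADIUS server (assumption for this example).
USER_DB: Dict[str, bytes] = {"MyID": b"correct-horse-battery"}


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(identifier || password || challenge), the CHAP
    construction that EAP-MD5 reuses (RFC 3748 section 5.4)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    """The client: answers EAP requests relayed to it by the authenticator."""

    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def handle(self, request: tuple) -> tuple:
        if request[0] == "EAP-Request/Identity":
            return ("EAP-Response/Identity", self.identity)
        if request[0] == "EAP-Request/MD5-Challenge":
            _, identifier, challenge = request
            return ("EAP-Response/MD5-Challenge", identifier,
                    eap_md5_response(identifier, self.password, challenge))
        raise ValueError(f"unexpected EAP request {request[0]}")


class RadiusServer:
    """Authentication server: never talks to the supplicant directly, only via RADIUS."""

    def __init__(self, user_db: Dict[str, bytes]):
        self.user_db = user_db
        self.sessions: Dict[str, Tuple[str, int, bytes]] = {}  # State -> (identity, id, challenge)

    def access_request(self, eap: tuple, state: Optional[str]) -> Tuple[str, tuple, Optional[str]]:
        """Return (RADIUS code, EAP message to relay, State attribute for the next round)."""
        if eap[0] == "EAP-Response/Identity":
            identifier, challenge = 1, os.urandom(16)
            state = os.urandom(8).hex()
            self.sessions[state] = (eap[1], identifier, challenge)
            return "Access-Challenge", ("EAP-Request/MD5-Challenge", identifier, challenge), state
        if eap[0] == "EAP-Response/MD5-Challenge" and state in self.sessions:
            identity, identifier, challenge = self.sessions.pop(state)
            password = self.user_db.get(identity)
            if password is not None and eap[1] == identifier and hmac.compare_digest(
                    eap_md5_response(identifier, password, challenge), eap[2]):
                return "Access-Accept", ("EAP-Success",), None
        # Unknown user, wrong response or stale state: reject.
        return "Access-Reject", ("EAP-Failure",), None


class Authenticator:
    """The switch port: ferries EAP in EAPoL frames on one side and RADIUS on the
    other, and flips the port between unauthorized and authorized."""

    def __init__(self, server: RadiusServer):
        self.server = server
        self.port_authorized = False
        self.trace: List[str] = []

    def run(self, supplicant: Supplicant, max_rounds: int = 10) -> bool:
        self.trace.append("EAPOL-Start")                    # step 1
        request: tuple = ("EAP-Request/Identity",)          # step 2, sent by the switch itself
        state: Optional[str] = None
        for _ in range(max_rounds):
            self.trace.append(request[0])
            response = supplicant.handle(request)
            self.trace.append(response[0])
            self.trace.append("Access-Request")             # step 4: wrap EAP into RADIUS
            code, request, state = self.server.access_request(response, state)
            self.trace.append(code)
            if code in ("Access-Accept", "Access-Reject"):  # step 7
                self.port_authorized = code == "Access-Accept"
                self.trace.append(request[0])               # step 8: EAP-Success / EAP-Failure
                return self.port_authorized
        return False

    def logoff(self) -> None:
        self.trace.append("EAPOL-Logoff")                   # step 10
        self.port_authorized = False


def authenticate(identity: str, password: bytes) -> Tuple[bool, List[str]]:
    """Run one full conversation and return (port authorized?, message trace)."""
    authenticator = Authenticator(RadiusServer(USER_DB))
    ok = authenticator.run(Supplicant(identity, password))
    return ok, authenticator.trace


if __name__ == "__main__":
    for ident, pw in (("MyID", b"correct-horse-battery"), ("MyID", b"wrong"), ("nobody", b"x")):
        ok, trace = authenticate(ident, pw)
        print(ident, "authorized" if ok else "rejected", "->", " / ".join(trace))
```

Running the file prints the trace for a valid password, a wrong password and an unknown user; only the first ends in Access-Accept and EAP-Success, and in every case the port stays unauthorized until that point.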
Basic Steps in 802.1x Configuration
To configure the switch operating as authenticator, follow the instructions below:
Figure 4: Configuring 802.1x basic steps (supplicant on port1.0.5 of the switch at 192.168.1.45 acting as authenticator; RADIUS server at 192.168.1.250 acting as authentication server)
Step 1: Configure a RADIUS server for the switch to send requests to
awplus(config)# radius-server host 192.168.1.250 key <secret-key>
Step 2: Instruct 802.1x to use the configured RADIUS server
awplus(config)# aaa authentication dot1x default group radius
Step 3: Configure port1.0.5 for 802.1x authentication
awplus(config)# interface port1.0.5
awplus(config-if)# dot1x port-control auto
awplus(config-if)# spanning-tree portfast
Multi-supplicant modes
AlliedWare Plus can be configured to accept one or more supplicants downstream of a port.
Three authentication host-modes are available:

single-supplicant: the default state, only one supplicant allowed per port.

multi-host: once the first host on a port is authenticated, all other downstream hosts are
allowed without being authenticated (piggy-back mode).

multi-supplicant: multiple separate supplicants are individually authenticated on one port.
The command (entered in interface configuration mode for a physical port interface) is:
awplus(config-if)# auth host-mode {single-supplicant|multi-host|multi-supplicant}
This command controls how the switch deals with the situation where multiple
authentication supplicants are downstream of a single port. This is possible when EAP frames
pass through a Layer 2 switch that has been connected to the port, with the supplicants
attached to that Layer 2 switch.
Single supplicant
The first option that the command can set is single-supplicant. With this option, only one
supplicant may be authenticated on the port. Once that host has been authenticated, no
other supplicants may be authenticated until the first supplicant’s session has closed. This
means, of course, that none of the other hosts downstream of the port will be able to send
or receive traffic on that port.
This option is recommended when you know that there should only be one host connected
to a port. By limiting the port to a single authenticated host, you guard against the
consequences of someone accidentally or maliciously connecting a downstream switch to the
port.
Multi-host
The next available host-mode option is multiple host mode (chosen by the parameter value
multi-host). With this mode, once the first host has been authenticated on the port, all other
downstream hosts are allowed without being authenticated. This is sometimes known as
piggy-back mode. It is useful when the downstream switch attached to the authenticating
port is an intelligent switch that can act as an authentication supplicant.
If you trust that malicious users cannot be connected to that switch but you do not know the
identity of those users, then you can simply authenticate the switch and then allow its
attached users to have network access. If the valid switch is disconnected and an invalid one
is connected which is not configured with the correct authentication credentials, then the
devices connected to the invalid switch will be blocked from accessing the network.
Figure 5: Configuring 802.1x multi-host (a switch or router that can act as 802.1x supplicant, with hosts behind it, connected to an x900 switch acting as authenticator; RADIUS server as authentication server. Once the supplicant switch/router is authenticated, all traffic from these hosts is allowed.)
802.1x VLAN Assignment
Dynamic VLAN assignment
Whilst the authentication of devices attaching to the network is primarily driven by security
considerations, it has significant spin-off benefits.
Once a device has been authenticated, the network knows the identity of the device and/or
its user. Decisions can be made, based on this identity. In particular, it is possible to decide
what network environment, and level of access, to present to this device and its user.
The standard mechanism via which a user’s network environment is controlled is VLAN
membership. Once a user’s packets are classified into a particular VLAN, the user’s access to
the network will be controlled by the constraints that have been put on that VLAN
throughout the network.
For this reason, it is now common for LAN switches to have the ability to dynamically assign
the VLAN into which a device’s traffic will be classified, once that device has been
authenticated.
Dynamic VLAN assignment is achieved by a collaboration between the authenticator (the
LAN switch) and the authentication server (the RADIUS server). When the RADIUS server
sends back a RADIUS accept message to the authenticator, it can also include other
attributes in that message that identify a VLAN to which the authenticated device should be
assigned.
Dynamic VLAN assignment is a powerful extension to 802.1x, as it enables:

Identity-based networking—the user gets the same environment no matter where they
connect.

Guest Access—guest users are allowed access to very limited parts of the network.

NAC—level of access is based on a workstation’s security status.
Figure 6: Dynamic VLAN assignment (RADIUS server as authentication server; x900 switch as authenticator; supplicants. The RADIUS access-accept message says “supplicant is accepted, put them into VLAN X”.)
Authenticator configuration
In addition to the basic 802.1x configuration, some further configuration is required to
enable Dynamic VLAN creation on the switch. The VLANs that can be dynamically assigned
must be present in the VLAN database:
awplus(config)# vlan database
awplus(config-vlan)# vlan x
awplus(config-vlan)# vlan y
awplus(config-vlan)# vlan z
awplus(config-vlan)# exit
Ports that accept VLAN membership dynamically have to be enabled for dynamic VLAN
creation:
awplus(config)# interface port1.0.5
awplus(config-if)# auth dynamic-vlan-creation
802.1x Configuration Example
The following example explains how to configure 802.1x. In this example, the RADIUS
Server keeps the Client information, validating the identity of the Client and updating the
switch about the authentication status of the client. The switch is the physical access between
the two clients and the server. It requests information from the client, relays information to
the server and then back to the client.
To configure 802.1x authentication, first enable authentication on port1.0.1 and port1.0.2
and then specify the RADIUS Server IP address and port.
Figure 7: 802.1x configuration example (Client A on port1.1.1 and Client B on port1.1.2 of the switch, vlan 4; RADIUS server at 192.126.12.1)
Table 2: 802.1x configuration on the switch

awplus# configure terminal
    Enter the Global Configuration mode.
awplus(config)# aaa authentication dot1x default group radius
    Enable authentication globally.
awplus(config)# interface port1.0.1
    Specify the interface (port1.0.1) to be configured and enter the Interface mode.
awplus(config-if)# dot1x port-control auto
    Enable authentication (via RADIUS) on port1.0.1.
awplus(config-if)# dot1x control-direction both
    Block traffic in both directions, other than authentication packets, until authentication is complete.
awplus(config-if)# exit
    Exit the Interface Configuration mode and enter the Global Configuration mode.
awplus(config)# interface port1.0.2
    Specify the interface (port1.0.2) you are configuring and enter the Interface mode.
awplus(config-if)# dot1x port-control auto
    Enable authentication (via RADIUS) on port1.0.2.
awplus(config-if)# exit
    Exit the Interface Configuration mode and enter the Global Configuration mode.
awplus(config)# radius-server host 192.126.12.1 auth-port 1812
    Specify the RADIUS Server address (192.126.12.1) and authentication port.
awplus(config)# radius-server key secret
    Specify the shared key secret between the RADIUS server and the client.
awplus(config)# interface vlan4
    Specify the vlan (vlan4) to be configured and enter the Interface mode.
awplus(config-if)# ip address 192.126.12.2/24
    Set the IP address on vlan4.
Dynamic VLAN assignment with multiple supplicants
In multi-supplicant mode, what happens if two supplicants downstream of the same port are
assigned to different VLANs? The auth dynamic-vlan-creation command has two
parameters that govern the operation in this situation: rule and type.
The rule parameter
The first parameter is the rule parameter.
For SBx8100, SBx908 and x900 Series switches (the situation is different for the x210, x230,
x310, x510, x600, x610 and x930 Series, as we will see below) it is not possible to assign
different VLANs to untagged traffic from different supplicants. On the SBx8100, SBx908 and
x900, dynamic VLAN assignment effectively says ‘the one untagged VLAN to be used on the
authenticating port is VLAN x’. So, if the first supplicant is authenticated and assigned VLAN
45, then the authenticating port will classify all untagged traffic arriving on the port into
VLAN 45. But if a second supplicant downstream of the same port then authenticates, and
the RADIUS server assigns VLAN 56 to that supplicant, the switch then faces a dilemma. It is
already using VLAN 45 as the untagged VLAN on that port; it cannot use VLAN 56 as well.
There are two ways that the switch can resolve this situation. It can:
1. Allow the second supplicant to access the network, but assign its data to VLAN 45.
2. Block the second supplicant from having network access.
The rule parameter configures which of these choices the switch will opt for. If rule is set to
permit, then option (1) above is chosen. If rule is set to deny, then option (2) above is
chosen.
The type parameter
The second parameter is the type parameter.
The type parameter applies only to the x210, x230, x310, x510, x600, x610 and x930 Series
switches. This is because these switches support MAC-based VLANs, whereas the x8100,
x900 Series and SBx908 do not.
The effect of the type parameter is to make use of the x210, x230, x310, x510, x600, x610
and x930 MAC-based VLAN support to provide a better solution to the case where
different supplicants downstream of a single port are dynamically allocated to different
VLANs.
If type is set to the value single, then the MAC-based VLAN capability is not used, and the
port’s behavior in the different-dynamic-VLANs situation will be controlled by the rule
parameter.
However, if type is set to multi, the switch brings the MAC-based VLAN capability into play.
This capability enables it to support multiple different untagged VLANs on the same port.
This is achieved by associating VLAN membership with the source MAC address of the
incoming packets.
So, when different supplicants downstream of a single port are dynamically assigned different
VLANs, the switch simply builds a table that maps supplicants’ MAC addresses to their
dynamically assigned VLANs.
The combination of these parameters results in three options for handling the case where
different VLANs are assigned to supplicants on the same port.
Option 1
Deny access to supplicant assigned a different VLAN.
If the first supplicant authenticated on the port is assigned VLAN X, then any supplicants
subsequently assigned a different VLAN are denied access. This is the default state when
dynamic VLAN creation is enabled.
This is configured with:
awplus(config-if)# auth dynamic-vlan-creation rule deny
Figure 8: Deny access to supplicant assigned to a different VLAN (1. Supplicant accepted and assigned VLAN 10. 2. Supplicant accepted and assigned to VLAN 11.)
Option 2
Force all supplicants into the same VLAN
If the first supplicant authenticated on the port is assigned VLAN X, then any supplicants
subsequently assigned a different VLAN are allowed access, but forced into VLAN X.
This is configured with:
awplus(config-if)# auth dynamic-vlan-creation rule permit
Figure 9: Force all supplicants into the same VLAN (x900 switch as authenticator. 1. Supplicant accepted and assigned VLAN 10. 2. Supplicant accepted by RADIUS server and assigned VLAN 11; authenticator allows access, but puts supplicant into VLAN 10.)
Option 3
Dynamically assign multiple VLANs to one port
On the x210, x230, x310, x510, x600, x610 and x930 switches, it is actually possible to
assign different VLANs to different supplicants downstream of the same port.
This is configured with:
awplus(config-if)# auth dynamic-vlan-creation rule permit type multi
Figure 10: Dynamically assign multiple VLANs to one port (x600 switch as authenticator. 1. Supplicant accepted and assigned VLAN 10. 2. Supplicant accepted and assigned to VLAN 11; authenticator allows access and allocates this supplicant’s data to VLAN 11.)
The switch can assign VLAN membership to packets based on source MAC:

Packets from MAC of supplicant 1 are assigned to VLAN10

Packets from MAC of supplicant 2 are assigned to VLAN11
This feature is not supported on SBx8100, x900 and SwitchBlade x908 switches.
Using a guest VLAN
Whilst you need to authenticate the users who will have access to the important services
within your network, you might also want to provide some basic level of access to users who
fail to authenticate.
For example, visitors to an enterprise will often need to have Internet access. It would be
desirable to have a secure, convenient way to provide this Internet access via the corporate
LAN.
By default, 802.1x denies access to users who fail authentication.
Guests are not known to the RADIUS server, so fail authentication. The solution is to
provide a Guest VLAN which is configured with:
awplus(config)# interface port1.0.5
awplus(config-if)# auth guest-vlan <vlan id>
Figure 11: Using a guest VLAN (a supplicant assigned to the guest VLAN on an x600 in the public/private zone; ACLs used to ensure GUEST VLAN traffic goes to the Internet and nowhere else; private zone with Windows 2008 server, Enterprise CA server, x900 stack, 8000GS, AR770 and client devices; 10/100, 1 Gigabit and link aggregation links)
If a supplicant attempts authentication and fails or does not even attempt authentication (no
802.1x client in the PC) then they are dynamically assigned to the guest VLAN.
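The three rule/type options above and the guest VLAN fallback, modelled together as an added example that is not code from the guide or from AlliedWare Plus: a per-port Python class that records, for each supplicant, the VLAN the guide says its untagged traffic ends up in. The first MAC address is the one from the guide's show output; the other MACs, the VLAN numbers and the mac_based_vlans flag (standing in for the platform difference between the x210/x230/x310/x510/x600/x610/x930 and the SBx8100/SBx908/x900) are constructed assumptions. The guide does not say how a guest interacts with the rule conflict, so the model keeps guest placement separate from the port's untagged VLAN.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AuthPort:
    """Constructed model of one authenticating port (assumption, not AlliedWare Plus code)."""
    rule: str = "deny"                 # auth dynamic-vlan-creation rule {deny|permit}; deny is the default
    vlan_type: str = "single"          # auth dynamic-vlan-creation type {single|multi}
    mac_based_vlans: bool = False      # True on the x210..x930 Series, False on SBx8100/SBx908/x900
    guest_vlan: Optional[int] = None   # auth guest-vlan <vlan id>, if configured
    untagged_vlan: Optional[int] = None                            # the single untagged VLAN, once set
    supplicant_vlans: Dict[str, int] = field(default_factory=dict)  # MAC -> VLAN carrying its traffic

    def authenticate(self, mac: str, radius_result: Tuple[str, ...]) -> Optional[int]:
        """radius_result is ("accept", vlan), ("reject",) or ("no-client",) for a host
        without an 802.1x client. Returns the VLAN the host's untagged traffic is
        classified into, or None if the host is blocked."""
        if radius_result[0] != "accept":
            # Failed or absent authentication: guest VLAN if one is configured, otherwise blocked.
            if self.guest_vlan is None:
                return None
            self.supplicant_vlans[mac] = self.guest_vlan
            return self.guest_vlan
        assigned = radius_result[1]
        if self.vlan_type == "multi" and self.mac_based_vlans:
            # Option 3: MAC-based VLANs, so each supplicant keeps its own assigned VLAN.
            self.supplicant_vlans[mac] = assigned
            return assigned
        # Platforms without MAC-based VLANs (or type single): one untagged VLAN per port.
        if self.untagged_vlan is None or self.untagged_vlan == assigned:
            self.untagged_vlan = assigned
            self.supplicant_vlans[mac] = assigned
            return assigned
        if self.rule == "permit":
            # Option 2: allowed in, but forced into the VLAN already on the port.
            self.supplicant_vlans[mac] = self.untagged_vlan
            return self.untagged_vlan
        # Option 1 (rule deny, the default): blocked.
        return None


def run_scenario(port: AuthPort) -> Dict[str, Optional[int]]:
    """Two supplicants that RADIUS assigns to different VLANs, then a host with no client.
    MAC addresses after the first are constructed."""
    return {
        "sup1": port.authenticate("0002.b363.319f", ("accept", 10)),
        "sup2": port.authenticate("0002.b363.4a10", ("accept", 11)),
        "guest": port.authenticate("0002.b363.5b21", ("no-client",)),
    }


if __name__ == "__main__":
    print("option 1 (rule deny):  ", run_scenario(AuthPort()))
    print("option 2 (rule permit):", run_scenario(AuthPort(rule="permit")))
    print("option 3 (type multi): ", run_scenario(
        AuthPort(rule="permit", vlan_type="multi", mac_based_vlans=True, guest_vlan=99)))
```

The third run shows the two properties that matter on the x210..x930: the second supplicant keeps VLAN 11 instead of being blocked or folded into VLAN 10, and the clientless host lands in the guest VLAN rather than having no access. Setting type multi on a port whose platform lacks MAC-based VLANs falls through to the rule behaviour, matching the guide's note that the feature is not supported on the SBx8100, x900 and SwitchBlade x908.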
Verify the operation of 802.1x
When a supplicant has been authenticated on a port the details of the authentication can be
seen with:
awplus# show dot1x supplicant int port1.0.5
Interface port1.0.5
  authenticationMethod: dot1x                        <--- Authenticated by 802.1x
  totalSupplicantNum: 1
  authorizedSupplicantNum: 1
  macBasedAuthenticationSupplicantNum: 0
  dot1xAuthenticationSupplicantNum: 1
  WebBasedAuthenticationSupplicantNum:
  otherAuthenticationSupplicantNum: 0
  Supplicant name: Engineer01                        <--- Supplicant name
  Supplicant address: 0002.b363.319f                 <--- MAC of authenticated device
    authenticationMethod: 802.1x
    portStatus: Authorized - currentId: 9
    abort:F fail:F start:F timeout:F success:T
    PAE: state: Authenticated - portMode: Auto
    PAE: reAuthCount: 0 - rxRespId: 0
    PAE: quietPeriod: 60 - maxReauthReq: 2
    BE: state: Idle - reqCount: 0 - idFromServer: 8
    CD: adminControlledDirections: both - operControlledDirections: both
    CD: bridgeDetected: false
    KR: rxKey: false
    KT: keyAvailable: false - keyTxEnabled: false
    dynamicVlanId: 20                                <--- VLAN assigned, if dynamic VLAN assignment enabled
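Reading the output above by hand works for one port. As an added example (not code from the guide), the Python below flattens the show dot1x supplicant output into fields and reports anything that does not look like one cleanly authorized 802.1x supplicant on the expected dynamic VLAN. The sample text is constructed in the layout of the guide's output, using the guide's values, with one of the guide's "<---" annotations left in to show they are ignored; the field names are the ones printed above, and the conditions checked (portStatus Authorized, PAE state Authenticated, success:T with fail:F, authorizedSupplicantNum equal to totalSupplicantNum) are my reading of that output, not documented semantics.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of "show dot1x supplicant interface <port>" from the
# guide (values copied from the guide's example; not captured from a switch).
SAMPLE_OUTPUT = """\
Interface port1.0.5
  authenticationMethod: dot1x          <--- Authenticated by 802.1x
  totalSupplicantNum: 1
  authorizedSupplicantNum: 1
  macBasedAuthenticationSupplicantNum: 0
  dot1xAuthenticationSupplicantNum: 1
  WebBasedAuthenticationSupplicantNum:
  otherAuthenticationSupplicantNum: 0
  Supplicant name: Engineer01
  Supplicant address: 0002.b363.319f
    authenticationMethod: 802.1x
    portStatus: Authorized - currentId: 9
    abort:F fail:F start:F timeout:F success:T
    PAE: state: Authenticated - portMode: Auto
    BE: state: Idle - reqCount: 0 - idFromServer: 8
    CD: adminControlledDirections: both - operControlledDirections: both
    dynamicVlanId: 20
"""

GROUPS = ("PAE", "BE", "CD", "KR", "KT")           # state-machine prefixes in the output
FLAG_LINE = re.compile(r"^(?:\w+:[A-Za-z]\s*)+$")   # e.g. "abort:F fail:F ... success:T"
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_supplicant_output(text: str) -> Dict[str, str]:
    """Flatten the output into {field: value}. Group prefixes are kept ('PAE.state',
    'BE.state') so the two 'state' fields do not collide; a key that appears twice
    without a prefix (authenticationMethod) keeps the later, supplicant-level value."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("<---", 1)[0].strip()     # drop guide-style annotations
        if not line:
            continue
        if line.startswith("Interface "):
            fields["interface"] = line.split(None, 1)[1]
            continue
        prefix = ""
        for group in GROUPS:
            if line.startswith(group + ":"):
                prefix, line = group + ".", line[len(group) + 1:].strip()
                break
        if FLAG_LINE.match(line):                   # the abort/fail/start/timeout/success flags
            for token in line.split():
                key, value = token.split(":", 1)
                fields[prefix + key] = value
            continue
        for chunk in line.split(" - "):             # several "key: value" pairs share a line
            if ": " in chunk:
                key, value = chunk.split(": ", 1)
                fields[prefix + key.strip()] = value.strip()
            elif chunk.endswith(":"):               # present but empty, e.g. WebBased...Num:
                fields[prefix + chunk[:-1].strip()] = ""
    return fields


def check_supplicant(fields: Dict[str, str], expected_vlan: Optional[int] = None) -> List[str]:
    """Return findings; an empty list means the port shows one cleanly authorized
    802.1x supplicant (and, if expected_vlan is given, the expected dynamic VLAN)."""
    findings: List[str] = []
    if fields.get("portStatus") != "Authorized":
        findings.append(f"portStatus is {fields.get('portStatus')!r}, expected 'Authorized'")
    if fields.get("PAE.state") != "Authenticated":
        findings.append(f"PAE state is {fields.get('PAE.state')!r}, expected 'Authenticated'")
    if fields.get("success") != "T" or fields.get("fail") != "F":
        findings.append("EAP outcome flags do not show a clean success")
    if not MAC_RE.match(fields.get("Supplicant address", "")):
        findings.append("no supplicant MAC address recorded")
    if fields.get("authorizedSupplicantNum") != fields.get("totalSupplicantNum"):
        findings.append("not every supplicant on the port is authorized")
    if expected_vlan is not None and fields.get("dynamicVlanId") != str(expected_vlan):
        findings.append(f"dynamicVlanId is {fields.get('dynamicVlanId')!r}, expected {expected_vlan}")
    return findings


if __name__ == "__main__":
    parsed = parse_supplicant_output(SAMPLE_OUTPUT)
    print(parsed["interface"], parsed["Supplicant name"], parsed["Supplicant address"])
    print("findings (VLAN 20):", check_supplicant(parsed, 20) or "none")
    print("findings (VLAN 30):", check_supplicant(parsed, 30))
```

Feeding the parser real output captured per port (for example from a script that logs in and runs the command for each access port) turns the manual check in this section into something that can be run on a schedule, with the findings list as the thing to alert on.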
When a supplicant has been authenticated, and assigned to a VLAN, the port they
authenticated on will then be seen to be a member of that VLAN.
awplus# show vlan 20
VLAN ID  Name              Type     State    Member ports
                                             (u)-Untagged, (t)-Tagged
=======  ================  =======  =======  ======================
20       Engineering       STATIC   ACTIVE   port1.0.5(u)

awplus# show vlan 30
VLAN ID  Name              Type     State    Member ports
                                             (u)-Untagged, (t)-Tagged
=======  ================  =======  =======  ======================
30       Marketing         STATIC   ACTIVE   port1.0.5(u)
Names of commands used
dot1x port-control
radius-server host
radius-server key
Validation commands
show dot1x
show dot1x interface
North America Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895
Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830
EMEA & CSA Operations | Incheonweg 7 | 1437 EK Rozenburg | The Netherlands | T: +31 20 7950020 | F: +31 20 7950021
alliedtelesis.com
© 2015 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.